### Upgrades for normalization and the Azure Sentinel Information Model
38
+
39
+
The Azure Sentinel Information Model enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
40
+
41
+
In this month's update, we've enhanced our normalization documentation, providing new levels of detail and full DNS, process event, and authentication normalization schemas.
42
+
43
+
For more information, see:
44
+
45
+
-[Normalization and the Azure Sentinel Information Model (ASIM)](normalization.md) (updated)
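Review bot: the list item `-[Normalization and the Azure Sentinel Information Model (ASIM)](normalization.md) (updated)` that closes this hunk has no space after the leading hyphen, so Markdown renders it as a paragraph beginning with "-[" instead of a bullet under "For more information, see:"; write it as `- [Normalization and the Azure Sentinel Information Model (ASIM)](normalization.md) (updated)`. The introducing line ends with a colon as if several links follow, and the paragraph above names DNS, process event, and authentication schemas, so confirm that links to those schema pages are present after this item rather than only the one shown.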
Two of our most-used connectors have been the beneficiaries of major upgrades.
56
+
57
+
- The [Windows security events connector (Public preview)](connect-windows-security-events.md) is now based on the new Azure Monitor Agent (AMA), allowing you far more flexibility in choosing which data to ingest, and giving you maximum visibility at minimum cost.
58
+
59
+
- The [Azure activity logs connector](./data-connectors-reference.md#azure-activity) is now based on the diagnostics settings pipeline, giving you more complete data, greatly reduced ingestion lag, and better performance and reliability.
60
+
61
+
The upgrades are not automatic. Users of these connectors are encouraged to enable the new versions.
62
+
63
+
### Export and import analytics rules (Public preview)
64
+
65
+
You can now export your analytics rules to JSON-format Azure Resource Manager (ARM) template files, and import rules from these files, as part of managing and controlling your Azure Sentinel deployments as code. Any type of [analytics rule](detect-threats-built-in.md) - not just **Scheduled** - can be exported to an ARM template. The template file includes all the rule's information, from its query to its assigned MITRE ATT&CK tactics.
66
+
67
+
For more information, see [Export and import analytics rules to and from ARM templates](import-export-analytics-rules.md).
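Review bot: "The upgrades are not automatic. Users of these connectors are encouraged to enable the new versions." leaves the operational question open: whether the legacy Windows security events and Azure activity connectors keep ingesting once the new ones are enabled, and whether both may run at the same time. Running both ingests the same events twice, which contradicts the "maximum visibility at minimum cost" claim a few lines earlier; add a sentence on disconnecting the old connector (or link the migration steps) and state whether the new connector should be enabled before the old one is disconnected so no events are lost during the switch. Minor: the Azure activity link is written `./data-connectors-reference.md#azure-activity` while every other link in this hunk omits the `./` prefix.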
In addition to enriching your alert content with entity mapping and custom details, you can now custom-tailor the way alerts - and by extension, incidents - are presented and displayed, based on their particular content. Like the other alert enrichment features, this is configurable in the [analytics rule wizard](detect-threats-custom.md).
72
+
73
+
For more information, see [Customize alert details in Azure Sentinel](customize-alert-details.md).
74
+
75
+
76
+
### More help for playbooks!
77
+
78
+
Two new documents can help you get started or get more comfortable with creating and working with playbooks.
79
+
-[Authenticate playbooks to Azure Sentinel](authenticate-playbooks-to-sentinel.md) helps you understand the different authentication methods by which Logic Apps-based playbooks can connect to and access information in Azure Sentinel, and when it's appropriate to use each one.
80
+
-[Use triggers and actions in playbooks](playbook-triggers-actions.md) explains the difference between the **incident trigger** and the **alert trigger** and which to use when, and shows you some of the different actions you can take in playbooks in response to incidents, including how to access the information in [custom details](playbook-triggers-actions.md#work-with-custom-details).
81
+
82
+
Playbook documentation also explicitly addresses the multi-tenant MSSP scenario.
83
+
84
+
### New documentation reorganization
85
+
86
+
This month we've reorganized our [Azure Sentinel documentation](index.yml), restructuring into intuitive categories that follow common customer journeys. Use the filtered docs search and updated landing page to navigate through Azure Sentinel docs.
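Review bot: the two playbook list items `-[Authenticate playbooks to Azure Sentinel](authenticate-playbooks-to-sentinel.md)` and `-[Use triggers and actions in playbooks](playbook-triggers-actions.md)` are missing the space after the hyphen, so they will not render as bullets under "Two new documents can help you get started..."; use `- [` for both. Two smaller points in the same hunk: "Playbook documentation also explicitly addresses the multi-tenant MSSP scenario." is the only entry in the section without a link to the document it refers to, and "### More help for playbooks!" is the only heading in the hunk that ends with an exclamation mark, which reads oddly next to "### Export and import analytics rules (Public preview)" and "### New documentation reorganization".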
### Upgrades for normalization and the Azure Sentinel Information Model
543
-
544
-
The Azure Sentinel Information Model enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
545
-
546
-
In this month's update, we've enhanced our normalization documentation, providing new levels of detail and full DNS, process event, and authentication normalization schemas.
547
-
548
-
For more information, see:
549
-
550
-
-[Normalization and the Azure Sentinel Information Model (ASIM)](normalization.md) (updated)
Two of our most-used connectors have been the beneficiaries of major upgrades.
561
-
562
-
- The [Windows security events connector (Public preview)](connect-windows-security-events.md) is now based on the new Azure Monitor Agent (AMA), allowing you far more flexibility in choosing which data to ingest, and giving you maximum visibility at minimum cost.
563
-
564
-
- The [Azure activity logs connector](./data-connectors-reference.md#azure-activity) is now based on the diagnostics settings pipeline, giving you more complete data, greatly reduced ingestion lag, and better performance and reliability.
565
-
566
-
The upgrades are not automatic. Users of these connectors are encouraged to enable the new versions.
567
-
568
-
### Export and import analytics rules (Public preview)
569
-
570
-
You can now export your analytics rules to JSON-format Azure Resource Manager (ARM) template files, and import rules from these files, as part of managing and controlling your Azure Sentinel deployments as code. Any type of [analytics rule](detect-threats-built-in.md) - not just **Scheduled** - can be exported to an ARM template. The template file includes all the rule's information, from its query to its assigned MITRE ATT&CK tactics.
571
-
572
-
For more information, see [Export and import analytics rules to and from ARM templates](import-export-analytics-rules.md).
In addition to enriching your alert content with entity mapping and custom details, you can now custom-tailor the way alerts - and by extension, incidents - are presented and displayed, based on their particular content. Like the other alert enrichment features, this is configurable in the [analytics rule wizard](detect-threats-custom.md).
577
-
578
-
For more information, see [Customize alert details in Azure Sentinel](customize-alert-details.md).
579
-
580
-
581
-
### More help for playbooks!
582
-
583
-
Two new documents can help you get started or get more comfortable with creating and working with playbooks.
584
-
-[Authenticate playbooks to Azure Sentinel](authenticate-playbooks-to-sentinel.md) helps you understand the different authentication methods by which Logic Apps-based playbooks can connect to and access information in Azure Sentinel, and when it's appropriate to use each one.
585
-
-[Use triggers and actions in playbooks](playbook-triggers-actions.md) explains the difference between the **incident trigger** and the **alert trigger** and which to use when, and shows you some of the different actions you can take in playbooks in response to incidents, including how to access the information in [custom details](playbook-triggers-actions.md#work-with-custom-details).
586
-
587
-
Playbook documentation also explicitly addresses the multi-tenant MSSP scenario.
588
-
589
-
### New documentation reorganization
590
-
591
-
This month we've reorganized our [Azure Sentinel documentation](index.yml), restructuring into intuitive categories that follow common customer journeys. Use the filtered docs search and updated landing page to navigate through Azure Sentinel docs.
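Review bot: the removed block (old lines 543-591) is identical to the block added at lines 38-86, so this commit is a pure relocation and carries the `-[` list-item formatting from the old position into the new one; since the block is being touched anyway, fix the bullets in the added copy. Neither side of the diff shows a month heading for the moved block, so confirm that it lands under the intended month heading at its new position near the top of the file and that the section it was cut from still reads correctly without it.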